As cybersecurity information sharing legislation advances in Congress, concerns continue to abound regarding the types of information that could be shared if these new laws are passed. Privacy advocates’ unease over protection of personally identifiable information is understandable considering the current state of government information collection. Their reactions to this legislation continue to stoke fears of increased and overbroad government surveillance.
Unfortunately, these contentious privacy debates conflate the information companies would actually need to share in the event of an attack with sensitive consumer information. This difference is important to get right, or else the ongoing privacy debate will serve only as an obstacle to effective information sharing legislation. With a careful examination of what cybersecurity information sharing truly entails and a deeper understanding of how the Internet’s network infrastructure works, it should become clear that information sharing is an important step towards securing America’s networks – not a golden ticket for the government to collect companies’ sensitive data or citizens’ personal information.
First, it is important to consider what cybersecurity information sharing really is: controlled sharing of specific data which supports the construction of stronger networks. The information sharing that legislation introduced in the 114th Congress aims to foster does not include the oversharing of corporate data or the sending of detailed consumer data to government agencies for unknown purposes. Information sharing is about informing the different stakeholders on a network as to who is attacking a system, how they are doing it, and what they are looking for. Similar to physical robberies, cyber-attacks have “signatures” and patterns of behavior that show how that attack was performed and how hackers were able to penetrate system defenses. These clues, if shared in a timely and efficient manner, can lead to better monitoring for similar signatures and patterns across networks, ultimately preventing future cyber-attacks.
Furthermore, fears of information sharing legislation’s threats to consumer privacy are fueled by a misunderstanding of what information is needed for network security. Transparency, accountability and trust are requirements for any cybersecurity information sharing environment to function effectively. Clear guidelines that determine what and how information will be shared must be set, so that companies are comfortable disclosing real-time threat information with one another and with the government. Since corporate legal advisors have concerns about litigation liability, customer privacy, and potential government regulatory actions as a consequence of information they share, companies will not contribute to any such system unless their concerns and exposure to risk are mitigated. In this way, the incentives of these corporations are more aligned with consumer interests than some privacy advocates would admit.
So, what is there to do? Clear rules must be established which address the concerns of the private sector and make it clear that contributing to an agreed-upon information sharing repository will only result in enhanced protection for all stakeholders. Furthermore, protection of personal information must be a fundamental part of the agreement among all parties who share information. The Senate’s Cybersecurity Information Sharing Act and the House’s Protecting Cyber Networks Act are a good start down this path. Enabling fast information sharing that exposes stakeholders to minimal risk will support a stronger cyber defense, help networks endure attacks, and keep future attack attempts on the outside of the digital wall. If our goal is to enhance connectivity, communications, and commerce over the Internet, then we need a sizeable fortress to ensure its security for all who use it.